Use minimal Vault permissions in integration test

andreaso · May 19, 2024 · 61e3fa3 · 61e3fa3
1 parent 3aafb2e
commit 61e3fa3
Show file tree

Hide file tree

Showing 4 changed files with 55 additions and 11 deletions.
diff --git a/.github/workflows/lint-and-test.yaml b/.github/workflows/lint-and-test.yaml
@@ -83,5 +83,6 @@ jobs:
           VALIDATE_PYTHON_ISORT: false
           VALIDATE_PYTHON_MYPY: false
           VALIDATE_PYTHON_PYLINT: false
+          VALIDATE_SHELL_SHFMT: false
           DEFAULT_BRANCH: main
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/integration/docker-compose.yaml b/integration/docker-compose.yaml
@@ -17,7 +17,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-310-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -38,7 +39,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-310-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -60,7 +62,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-311-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -81,7 +84,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-311-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -103,7 +107,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-312-constrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -124,7 +129,8 @@ services:
     environment:
       HV4GHA_KEYNAME: test-312-unconstrained
       HV4GHA_VAULT_ADDR: http://vault-server:8200
-      HV4GHA_VAULT_TOKEN: BatteryStaple
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
     env_file: .env
     command: [import, issue, issue-scoped]
     depends_on:
@@ -133,10 +139,13 @@ services:
   vault-setup:
     image: hashicorp/vault
     environment:
+      HVGHA_VAULT_IMPORT_TOKEN: CorrectHorseImportKey
+      HVGHA_VAULT_SIGN_TOKEN: CorrectHorseSignJWT
       VAULT_TOKEN: BatteryStaple
       VAULT_ADDR: http://vault-server:8200
-    entrypoint: /bin/vault
-    command: [secrets, enable, transit]
+    volumes:
+      - ./setup:/mnt/setup
+    entrypoint: /mnt/setup
     depends_on:
       vault-server:
         condition: service_healthy

diff --git a/integration/setup b/integration/setup
@@ -0,0 +1,34 @@
+#!/bin/ash
+set -o errexit
+set -o nounset
+set -o noglob
+set -o pipefail
+
+# Required env variables
+: "$VAULT_ADDR"
+: "$VAULT_TOKEN"
+: "$HVGHA_VAULT_IMPORT_TOKEN"
+: "$HVGHA_VAULT_SIGN_TOKEN"
+
+vault secrets enable transit
+
+cat <<EOF |
+path "transit/wrapping_key" {
+  capabilities = ["read"]
+}
+
+path "transit/keys/+/import" {
+  capabilities = ["update"]
+}
+EOF
+vault policy write import-key -
+
+cat <<EOF |
+path "transit/sign/+" {
+  capabilities = ["update"]
+}
+EOF
+vault policy write sign-token -
+
+vault token create -no-default-policy -policy=import-key -id="$HVGHA_VAULT_IMPORT_TOKEN" -field=token
+vault token create -no-default-policy -policy=sign-token -id="$HVGHA_VAULT_SIGN_TOKEN" -field=token
diff --git a/integration/testrun.py b/integration/testrun.py
@@ -28,7 +28,7 @@ def key_import() -> None:
         pem_key=b64decode(os.environ["HV4GHA_APP_KEY_B64"]),
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_IMPORT_TOKEN"],
     )
 
 
@@ -38,7 +38,7 @@ def issue() -> None:
     issue_access_token(
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_SIGN_TOKEN"],
         app_id=os.environ["HV4GHA_APP_ID"],
         account=os.environ["HV4GHA_ACCOUNT"],
     )
@@ -52,7 +52,7 @@ def issue_scoped() -> None:
     access_token: TokenResponse = issue_access_token(
         key_name=os.environ["HV4GHA_KEYNAME"],
         vault_addr=os.environ["HV4GHA_VAULT_ADDR"],
-        vault_token=os.environ["HV4GHA_VAULT_TOKEN"],
+        vault_token=os.environ["HVGHA_VAULT_SIGN_TOKEN"],
         app_id=os.environ["HV4GHA_APP_ID"],
         account=os.environ["HV4GHA_ACCOUNT"],
         permissions=req_perms,